Snort IPS - cisco.com · Snort IPS...

Snort IPS

The Snort IPS feature enables Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) forbranch offices on Cisco 4000 Series Integrated Services Routers and Cisco Cloud Services Router 1000vSeries. This feature uses the open source Snort solution to enable IPS and IDS. The Snort IPS feature isavailable in Cisco IOS XE Release 3.16.1S, 3.17S, and later releases.

The Virtual Routing and Forwarding (VRF) feature is supported on Snort IPS configuration from CiscoIOS XE Denali Release 16.3.1 and later releases.

Note

This module explains the feature and how it works.

• Finding Feature Information, page 1

• Restrictions for Snort IPS, page 2

• Information About Snort IPS, page 2

• How to Deploy Snort IPS, page 7

• Configuration Examples for Snort IPS, page 20

• Examples for Displaying Active Signatures, page 26

• Verifying the Integrated Snort IPS Configuration, page 27

• Deploying Snort IPS Using Cisco Prime CLI Templates, page 34

• Troubleshooting Snort IPS, page 35

• Additional References for Snort IPS, page 41

• Feature Information for Snort IPS, page 42

Finding Feature InformationYour software release may not support all the features documented in this module. For the latest caveats andfeature information, see Bug Search Tool and the release notes for your platform and software release. Tofind information about the features documented in this module, and to see a list of the releases in which eachfeature is supported, see the feature information table.

Security Configuration Guide: Unified Threat Defense, Cisco IOS XE Release 3S 1

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_utd/configuration/xe-3s/sec-data-utd-xe-3s-book/snort-ips.html

https://tools.cisco.com/bugsearch/search

Use Cisco Feature Navigator to find information about platform support and Cisco software image support.To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for Snort IPSThe following restrictions apply to the Snort IPS feature:

• Incompatible with the Zone-Based Firewall SYN-cookie feature.

• Network Address Translation 64 (NAT64) is not supported.

• IOS syslog is rate limited and as a result, all alerts generated by Snort may not be visible via the IOSSyslog. However, you can view all Syslog messages if you export them to an external log server.

Information About Snort IPS

Snort IPS OverviewThe Snort IPS feature enables Intrusion Prevention System (IPS) or Intrusion Detection System (IDS) forbranch offices on Cisco 4000 Series Integrated Services Routers and Cisco Cloud Services Router 1000vSeries. This feature uses the Snort sensor to provide IPS and IDS functionalities.

Snort is an open source network IPS that performs real-time traffic analysis and generates alerts when threatsare detected on IP networks. It can also perform protocol analysis, content searching or matching, and detecta variety of attacks and probes, such as buffer overflows, stealth port scans, and so on. The Snort sensor runsas a virtual container service on Cisco 4000 Series Integrated Services Routers and Cisco Cloud ServicesRouter 1000v Series.

The Snort IPS feature works in the network intrusion detection and prevention mode that provides IPS or IDSfunctionalities. In the network intrusion detection and prevention mode, Snort performs the following actions:

• Monitors network traffic and analyzes against a defined rule set.

• Performs attack classification.

• Invokes actions against matched rules.

Based on your requirements, you can enable Snort either in IPS or IDS mode. In IDS mode, Snort inspectsthe traffic and reports alerts, but does not take any action to prevent attacks. In IPS mode, in addition tointrusion detection, actions are taken to prevent attacks.

The Snort IPS monitors the traffic and reports events to an external log server or the IOS syslog. Enablinglogging to the IOS syslog may impact performance due to the potential volume of log messages. Externalthird-party monitoring tools, which supports Snort logs, can be used for log collection and analysis.

Snort IPS Signature PackageThe UTD OVA is included in the security license of the router. By default, the router is loaded only withcommunity signature package. There are two types of subscriptions :

Security Configuration Guide: Unified Threat Defense, Cisco IOS XE Release 3S2

Snort IPSRestrictions for Snort IPS

http://www.cisco.com/go/cfn

• Community Signature Package

• Subscriber-based Signature Package

The community signature package rule set offers limited coverage against threats. The subscriber-basedsignature package rule set offers the best protection against threats. It includes coverage in advance of exploits,and also provides the fastest access to the updated signatures in response to a security incident or the proactivediscovery of a new threat. This subscription is fully supported by Cisco and the package will be updated onCisco.com. You can download the subscriber-based signature package from the Download Software page.

If the user downloads the signature package manually from the download software page, then the user shouldensure that the package has the same version as the Snort engine version. For example, if the Snort engineversion is 2982, then the user should download the same version of the signature package. If there is a versionmismatch, the signature package update will be rejected and it will fail.

When the signature package is updated, the engine will be restarted and the traffic will be interrupted orbypass inspection for a short period depending on their data plane fail-open/fail-close configuration.

Note

Snort IPS SolutionThe Snort IPS solution consists of the following entities:

• Snort sensor—Monitors the traffic to detect anomalies based on the configured security policies (thatincludes signatures, statistics, protocol analysis, and so on) and sends alert messages to the Alert/Reportingserver. The Snort sensor is deployed as a virtual container service on the router.

• Signature store—Hosts the Cisco Signature packages that are updated periodically. These signaturepackages are downloaded to Snort sensors either periodically or on demand. Validated Signature packagesare posted to Cisco.com. Based on the configuration, signature packages can be downloaded fromCisco.com or a local server.Signature packagesmust bemanually downloaded fromCisco.com to the local server by using Cisco.comcredentials before the Snort sensor can retrieve them.

The Snort container will perform a domain-name lookup to resolve the location for automatic signatureupdates from Cisco.com or the local server, if the URL is not specified as the IP address.

• Alert/Reporting server—Receives alert events from the Snort sensor. Alert events generated by the Snortsensor can either be sent to the IOS syslog or an external syslog server or to both IOS syslog and externalsyslog server. No external log servers are bundled with the Snort IPS solution.

• Management—Manages the Snort IPS solution. Management is configured using the IOS CLI. SnortSensor cannot be accessed directly, and all configuration can only be done using the IOS CLI.

Overview of Snort Virtual Service InterfacesThe Snort sensor runs as a service on routers. Service containers use virtualization technology to provide ahosting environment on Cisco devices for applications.

You can enable Snort traffic inspection either on a per interface basis or globally on all supported interfaces.The traffic to be inspected is diverted to the Snort sensor and injected back. In Intrusion Detection System


Snort IPSSnort IPS Solution

https://software.cisco.com/download/release.html?mdfid=284389362&softwareid=286285292&release=2982.2.s&relind=AVAILABLE&rellifecycle=&reltype=latest

(IDS), identified threats are reported as log events and allowed. However, in Intrusion Prevention System(IPS), action is taken to prevent attacks along with log events.

The Snort sensor requires two VirtualPortGroup interfaces. The first VirtualPortGroup interface is used formanagement traffic and the second for data traffic between the forwarding plane and the Snort virtual containerservice. Guest IP addresses must be configured for these VirtualPortGroup interfaces. The IP subnet assignedto the management VirtualPortGroup interface should be able to communicate with the Signature server andAlert/Reporting server.

The IP subnet of the second VirtualPortGroup interface must not be routable on the customer network becausethe traffic on this interface is internal to the router. Exposing the internal subnet to the outside world is asecurity risk. We recommend the use of 192.0.2.0/30 IP address range for the second VirtualPortGroup subnet.The use of 192.0.2.0/24 subnet is defined in RFC 3330.

You can also use the management interface under the virtual-service command for management traffic. Ifyou configure the management interface, you still need two VirtualPortGroup interfaces. However, do notconfigure the guest ip address for the first VirtualPortGroup interface.

You can assign the Snort virtual container service IP address on the same management network as the routeron which the virtual service is running. This configuration helps if the syslog or update server is on themanagement network and is not accessible by any other interfaces.

Virtual Service Resource ProfileThe Snort IPS virtual service supports three resource profiles: Low,Medium, and High. These profiles indicatethe CPU and memory resources required to run the virtual service. You can configure one of these resourceprofiles. The resource profile configuration is optional. If you do not configure a profile, the virtual serviceis activated with its default resource profile. This table provides the resource profiles details for Cisco 4000Series ISR and Cisco Cloud Services Router 1000v Series.

PlatformRequirements

Virtual Service Resource RequirementsProfilePlatform

MemorySystem CPU

Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 1GB (RAM)

Min: 750MB(Disk/Flash)

50%DefaultCisco 4321 ISR

Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 1GB (RAM)


25%Low (Default)Cisco 4331 ISR

Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 2GB (RAM)

Min: 1GB (Disk/Flash)

50%Medium

Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 4GB (RAM)


75%High


Snort IPSVirtual Service Resource Profile



MemorySystem CPU

Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 1GB (RAM)



Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 2GB (RAM)


50%Medium

Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 4GB (RAM)


75%High

Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 1GB (RAM)



Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 2GB (RAM)


50%Medium

Min: 12GB (RAM)

Min:12GB(Disk/Flash)

Min: 4GB (RAM)


75%High

Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 1GB (RAM)



Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 2GB (RAM)


50%Medium

Min: 12GB (RAM)


Min: 4GB (RAM)


75%High





MemorySystem CPU

Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 1GB (RAM)


25%Low (Default)Cisco CSR 1000V

Min: 8GB (RAM)

Min:8GB(Disk/Flash)

Min: 2GB (RAM)


50%Medium

Min: 12GB (RAM)


Min: 3GB (RAM)


75%High



Deploying Snort IPSThe figure illustrates a Snort IPS deployment scenario:

Figure 1: Snort IPS Deployment Scenario

The following steps describes the deployment of the Snort IPS solution:

• The Snort OVA file is copied to Cisco routers, installed, and then activated.

• Signature packages are downloaded either from Cisco.com or a configured local server to Cisco routers.

• Network intrusion detection or prevention functionality is configured.

• The Alert/Reporting server is configured to receive alerts from the Snort sensor.

How to Deploy Snort IPSTo deploy Snort IPS on supported devices, perform the following tasks:

1 Provision the device.Identify the device to install the Snort IPS feature.


Snort IPSDeploying Snort IPS

2 Obtain the license.The Snort IPS functionality is available only in Security Packages which require a security license toenable the service. This feature is available in Cisco IOS XE Release 3.16.1S, 3.17S, and later releases.

Contact Cisco Support to obtain the license.Note

3 Install the Snort OVA file.4 Configure VirtualPortGroup interfaces and virtual-service.5 Activate the Snort virtual container service.6 Configure Snort IPS or IDS mode and policy.7 Configure the reporting of events to an external alert/log server or IOS syslog or both.8 Configure the Signature update method.9 Update the Signatures.10 Enable IPS globally or on desired interfaces.

Installing the Snort OVA FileAn OVA file is an Open Virtualization Archive that contains a compressed, installable version of a virtualmachine. The Snort IPS is available as a virtual container service. You must download this OVA file on tothe router and use the virtual-service install CLI to install the service.

The service OVA file is not bundled with the Cisco IOS XE Release images that are installed on the router.However, the OVA files may be preinstalled in the flash of the router.

You must use a Cisco IOS XE image with security license. During the OVA file installation, the securitylicense is checked and an error is reported if the license is not present.

SUMMARY STEPS

1. enable2. virtual-service install name virtual-service-name package file-urlmedia file-system3. show virtual-service list

DETAILED STEPS

PurposeCommand or Action

Enables privileged EXEC mode.enable

Example:Device> enable

Step 1

• Enter your password if prompted.

Installs an application on the virtual services container of a device.virtual-service install name virtual-service-namepackage file-urlmedia file-system

Step 2

• The length of the name is 20 characters. Hyphen (-) is not avalid character.

Example:Device# virtual-service install name UTDIPSpackage harddisk:utd-ips-v102.ova mediaharddisk:

• You must specify the complete path of the OVA package tobe installed.


Snort IPSInstalling the Snort OVA File


OVA installation works on both hard disk and bootflash,the preferred filesystem to install the OVA will be harddisk.

Note

Displays the status of the installation of all applications installed onthe virtual service container.

show virtual-service list

Example:Device# show virtual-service list

Step 3

Configuring VirtualPortGroup Interfaces and Virtual ServiceYou must configure two VirtualPortGroup interfaces and configure guest IP addresses for both interfaces.However, if you configure a management interface by using the vnic management GigabitEthernet0command, then do not configure the guest IP address for the first VirtualPortGroup interface.

The VirtualPortGroup interface for data traffic must use a private or nonroutable IP address.We recommendthe use of 192.0.2.0/30 IP address range for this interface.

Note


Snort IPSConfiguring VirtualPortGroup Interfaces and Virtual Service

SUMMARY STEPS

1. enable2. configure terminal3. interface VirtualPortGroup number4. ip address ip-address mask5. exit6. interface type number7. ip address ip-address mask8. exit9. virtual-service name10. profile profile-name11. vnic gateway VirtualPortGroup interface-number12. guest ip address ip-address13. exit14. vnic gateway VirtualPortGroup interface-number15. guest ip address ip-address16. exit17. vnic management GigabitEthernet018. guest ip address ip-address19. exit20. activate21. end

DETAILED STEPS




Step 1


Enters global configuration mode.configure terminal

Example:Device# configure terminal

Step 2

Configures an interface and enters interface configuration mode.interface VirtualPortGroup number

Example:Device(config)# interfaceVirtualPortGroup 0

Step 3

• Configure a VirtualPortGroup interface. This interface is usedfor management traffic when the management interfaceGigabitEthernet0 is not used.




Sets a primary IP address for an interface. This interface needs to beroutable to the signature update server and external log server.

ip address ip-address mask

Example:Device(config-if)# ip address 10.1.1.1255.255.255.252

Step 4

Exits interface configuration mode and returns to global configurationmode.

exit

Example:Device(config-if)# exit

Step 5

Configures an interface and enters interface configuration mode.interface type number

Example:Device(config)# interfaceVirtualPortGroup 1

Step 6

• Configure a VirtualPortGroup interface.

• This interface is used for data traffic.

Sets a primary IP address for an interface.ip address ip-address mask

Example:Device(config-if)# ip address 192.0.2.1255.255.255.252

Step 7

• This IP address should not be routable to the outside network.

• The IP address is assigned from the recommended 192.0.2.0/30subnet.

Exits interface configuration mode and returns to global configurationmode.

exit


Step 8

Configures a virtual container service and enters virtual serviceconfiguration mode.

virtual-service name

Example:Device(config)# virtual-service UTDIPS

Step 9

• The name argument is the logical name that is used to identifythe virtual container service.

(Optional) Configures a resource profile. If you do not configure theresource profile, the virtual service is activated with its default resourceprofile. The options are: low, medium, and high.

profile profile-name

Example:Device(config-virt-serv)#profile high

Step 10

Creates a virtual network interface card (vNIC) gateway interface forthe virtual container service, maps the vNIC gateway interface to the

vnic gateway VirtualPortGroupinterface-number

Step 11

virtual port group, and enters the virtual-service vNIC configurationmode.Example:

Device(config-virt-serv)# vnic gatewayVirtualPortGroup 0 • The interface referenced in this command must be the one

configured in Step 3. This command maps the interface that isused for management purposes.




(Optional) Configures a guest vNIC address for the vNIC gatewayinterface.

guest ip address ip-address

Example:Device(config-virt-serv-vnic)# guestip address 10.1.1.2

Step 12

• Configure this command only if the vnic managementgigabitethernet0 command specified in Step 17 is notconfigured.

Note

Exits virtual-service vNIC configuration mode and returns to virtualservice configuration mode.

exit

Example:Device(config-virt-serv-vnic)# exit

Step 13

Creates a vNIC gateway interface for the virtual container service,maps the vNIC gateway interface to the virtual port group, and entersthe virtual-service vNIC configuration mode.

vnic gateway VirtualPortGroupinterface-number

Example:Device(config-virt-serv)# vnic gatewayVirtualPortGroup 1

Step 14

• This interface referenced in this command must be the oneconfigured in Step 6. This command maps the interface in thevirtual container service that is used by Snort for monitoring theuser traffic.

Configures a guest vNIC address for the vNIC gateway interface.guest ip address ip-address


Step 15


exit


Step 16

(Optional) Configures the GigabitEthernet interface as the vNICmanagement interface.

vnic management GigabitEthernet0

Example:Device(config-virt-serv)# vnicmanagement GigabitEthernet0

Step 17

• The management interface must either be a VirtualPortGroupinterface or GibagitEthernet0 interface.

• If you do not configure the vnicmanagementGigabitEthernet0command, then you must configure the guest ip addresscommand specified in Step 12.

(Optional) Configures a guest vNIC address for the vNICmanagementinterface and it must be in the same subnet as the management interfaceand GigabitEthernet0 configuration.

guest ip address ip-address


Step 18


exit


Step 19




Activates an application installed in a virtual container service.activate

Example:Device(config-virt-serv)# activate

Step 20

Exits virtual service configuration mode and returns to privilegedEXEC mode.

end

Example:Device(config-virt-serv)# end

Step 21

Configuring Snort IPS GloballyBased on your requirements, configure the Intrusion Prevention System (IPS) or Intrusion Detection System(IDS) inspection at a global level or at an interface. Perform this task to configure IPS globally on a device.

The term global refers to Snort IPS running on all supported interfaces.Note


Snort IPSConfiguring Snort IPS Globally

SUMMARY STEPS

1. enable2. configure terminal3. utd threat-inspection whitelist4. signature id signature-id [comment description]5. exit6. utd engine standard7. logging {server hostname [syslog] | syslog}8. threat-inspection9. threat {detection | protection }10. policy {balanced | connectivity | security}11. whitelist12. signature update occur-at {daily |monthly day-of-month | weekly day-of-week} hour minute13. signature update server {cisco | url url } [username username [password password]]14. logging level {alert | crit | debug | emerg | err | info | notice | warning}15. exit16. utd17. redirect interface virtualPortGroup interface-number18. all-interfaces19. engine standard20. fail close21. exit22. end

DETAILED STEPS




Step 1

• Enter you password if prompted.



Step 2

(Optional) Enables the UTD whitelist configuration mode.utd threat-inspection whitelist

Example:Device(config)# utd threat-inspectionwhitelist

Step 3

Configures signature IDs to be whitelisted.signature id signature-id [comment description]Step 4




Example:Device(config-utd-whitelist)# signature id24245 comment traffic from branchoffice1

• Signature IDs can be copied from alerts that needs to besuppressed.

• You can configure multiple signature IDs.

• Repeat this step for each signature ID that needs to bewhitelisted.

Exits UTD whitelist configuration mode and returns to globalconfiguration mode.

exit

Example:Device(config-utd-whitelist)# exit

Step 5

Configures the unified threat defense (UTD) standard engineand enters UTD standard engine configuration mode.

utd engine standard

Example:Device(config)# utd engine standard

Step 6

Enables the logging of emergency messages to a server.logging {server hostname [syslog] | syslog}

Example:Device(config-utd-eng-std)# logging serversyslog.yourcompany.com

Step 7

Configures threat inspection for the Snort engine.threat-inspection

Example:Device(config-utd-eng-std)# threat-inspection

Step 8

Configures threat detection or Intrusion Prevention System(IPS) as the operating mode for the Snort engine.

threat {detection | protection }

Example:Device(config-utd-eng-std-insp)# threatprotection

Step 9

• The default is detection.

• Configure the detection keyword to configure IntrusionDetection System (IDS).

Configures the security policy for the Snort engine.policy {balanced | connectivity | security}Step 10

Example:Device(config-utd-eng-std-insp)# policysecurity

• The default policy option is balanced.

(Optional) Enables whitelisting under the UTD engine.whitelist

Example:Device(config-utd-eng-std-insp)# whitelist

Step 11

Configures the signature update interval parameters. Thisconfiguration will trigger the signature update to occur atmidnight.

signature update occur-at {daily |monthlyday-of-month | weekly day-of-week} hour minute

Example:Device(config-utd-eng-std-insp)# signatureupdate occur-at daily 0 0

Step 12




Configures the signature update server parameters. You mustspecify the signature update parameters with the server details.

signature update server {cisco | url url }[username username [password password]]

Step 13

If you use Cisco.com for signature updates, you must provideExample:Device(config-utd-eng-std-insp)# signatureupdate server cisco username abcd passwordcisco123

the username and password. If you use local server for signatureupdates, based on the server settings you can provide theusername and password.

Enables the log level.logging level {alert | crit | debug | emerg | err | info| notice | warning}

Step 14

Example:Device(config-utd-eng-std-insp)# logginglevel emerg

Exits UTD standard engine configuration mode and returns toglobal configuration mode.

exit

Example:Device(config-utd-eng-std-insp)# exit

Step 15

Enables unified threat defense (UTD) and enters UTDconfiguration mode.

utd

Example:Device(config)# utd

Step 16

(Optional) Redirects to a VirtualPortGroup interface. This isthe data traffic interface. If you do not configure this interface,it is auto-detected.

redirect interface virtualPortGroupinterface-number

Example:Device(config-utd)# redirect interfacevirtualPortGroup 1

Step 17

Configures UTD on all Layer 3 interfaces of the device.all-interfaces

Example:Device(config-utd)# all-interfaces

Step 18

Configures the Snort-based unified threat defense (UTD) engineand enters standard engine configuration mode.

engine standard

Example:Device(config-utd)# engine standard

Step 19

(Optional) Defines the action when there is a UTD enginefailure. Default option is fail-open. Fail-close option drops all

fail close

Example:Device(config-engine-std)# fail close

Step 20

the IPS/IDS traffic when there is an UTD engine failure.Fail-open option allows all the IPS/IDS traffic when there isan UTD engine failure.

Exits standard engine configuration mode and returns to globalconfiguration mode.

exit

Example:Device(config-eng-std)# exit

Step 21




Exits UTD configuration mode and returns to globalconfiguration mode.

end

Example:Device(config-utd)# end

Step 22

Configuring Snort IDS Inspection GloballyBased on your requirements, configure either Intrusion Prevention System (IPS) or Intrusion Detection System(IDS) inspection at a global level or at an interface level. Perform this task to configure IDS on a per-interfacebasis.

SUMMARY STEPS

1. enable2. configure terminal3. interface type number4. utd enable5. exit6. Repeat Steps 3 to 5, on all interfaces that require inspection.7. utd threat-inspection whitelist8. signature id signature-id [comment description]9. exit10. utd engine standard11. logging {server hostname [syslog] | syslog}12. threat-inspection13. threat {detection | protection }14. policy {balanced | connectivity | security}15. whitelist16. signature update occur-at {daily |monthly day-of-month | weekly day-of-week} hour minute17. signature update server {cisco | url url} [username username [password password]]18. logging level {alert | crit | debug | emerg | err | info | notice | warning}19. exit20. utd21. redirect interface virtualPortGroup interface-number22. engine standard23. exit24. end


Snort IPSConfiguring Snort IDS Inspection Globally

DETAILED STEPS




Step 1

• Enter you password if prompted.



Step 2

Configures an interface and enters interface configurationmode.

interface type number

Example:Device(config)# interface gigabitethernet0/0/0

Step 3

Enables unified threat defense (UTD).utd enable

Example:Device(config-if)# utd enable

Step 4

Exits interface configuration mode and returns to globalconfiguration mode.

exit


Step 5

–Repeat Steps 3 to 5, on all interfaces that requireinspection.

Step 6

(Optional) Enables the UTD whitelist configuration mode.utd threat-inspection whitelist

Example:Device(config)# utd threat-inspectionwhitelist

Step 7

Configures signature IDs to be whitelisted.signature id signature-id [comment description]Step 8

Example:Device(config-utd-whitelist)# signature id24245 comment traffic from branchoffice1

• Signature IDs can be copied from alerts that needs tobe suppressed.

• You can configure multiple signature IDs.

• Repeat this step for each signature ID that needs to bewhitelisted.

Exits UTDwhitelist configurationmode and returns to globalconfiguration mode.

exit

Example:Device(config-utd-whitelist)# exit

Step 9




Configures the unified threat defense (UTD) standard engineand enters UTD standard engine configuration mode.

utd engine standard

Example:Device(config)# utd engine standard

Step 10

Enables the logging of critical messages to the IOSd syslog.logging {server hostname [syslog] | syslog}

Example:Device(config-utd-eng-std)# logging syslog

Step 11

Configures threat inspection for the Snort engine.threat-inspection

Example:Device(config-utd-eng-std)# threat-inspection

Step 12

Configures threat protection or Intrusion Detection System(IDS) as the operating mode for the Snort sensor.

threat {detection | protection }

Example:Device(config-utd-eng-std-insp)# threatdetection

Step 13

• Configure the protection keyword to configureIntrusion Prevention System (IPS).

Configures the security policy for the Snort sensor.policy {balanced | connectivity | security}

Example:Device(config-utd-eng-std-insp)# policybalanced

Step 14

(Optional) Enables whitelisting of traffic.whitelist

Example:Device(config-utd-eng-std-insp)# whitelist

Step 15

Configures the signature update interval parameters. Thisconfiguration will trigger the signature update to occur atmidnight.

signature update occur-at {daily |monthlyday-of-month | weekly day-of-week} hour minute

Example:Device(config-utd-eng-std-insp)# signatureupdate occur-at daily 0 0

Step 16

Configures the signature update server parameters. Youmustspecify the signature update parameters with the server

signature update server {cisco | url url} [usernameusername [password password]]

Step 17

details. If you use Cisco.com for signature updates, you mustExample:Device(config-utd-eng-std-insp)# signatureupdate server cisco username abcd passwordcisco123

provide the username and password. If you use local serverfor signature updates, based on the server settings you canprovide the username and password.

Enables the log level.logging level {alert | crit | debug | emerg | err | info| notice | warning}

Step 18

Example:Device(config-utd-eng-std-insp)# logging levelcrit




Exits UTD standard engine configuration mode and returnsto global configuration mode.

exit

Example:Device(config-utd-eng-std-insp)# exit

Step 19

Enables unified threat defense (UTD) and enters UTDconfiguration mode.

utd

Example:Device(config)# utd

Step 20

(Optional) Redirects to a VirtualPortGroup interface. Thisis the data traffic interface. If you do not configure thisinterface, it is auto-detected.

redirect interface virtualPortGroupinterface-number

Example:Device(config-utd)# redirect interfacevirtualPortGroup 1

Step 21

Configures the Snort-based unified threat defense (UTD)engine and enters standard engine configuration mode.

engine standard

Example:Device(config-utd)# engine standard

Step 22

Exits standard engine configuration mode and returns toglobal configuration mode.

exit

Example:Device(config-eng-std)# exit

Step 23

Exits UTD configuration mode and returns to globalconfiguration mode.

end

Example:Device(config-utd)# end

Step 24

Displaying the List of Active SignaturesActive signatures are the ones that prompt Snort IDS/IPS to take action against threats. If the traffic matcheswith any of the active signatures, Snort container triggers alert in the IDS mode, and drops the traffic in theIPS mode.

The utd threat-inspection signature active-list write-to bootflash: file name command provides a list ofactive signatures and a summary of the total number of active signatures, drop signatures, and alert signatures.

Configuration Examples for Snort IPS

Example: Configuring VirtualPortGroup Interfaces and Virtual ServiceDevice# configure terminalDevice(config)# interface VirtualPortGroup 0


Snort IPSDisplaying the List of Active Signatures

Device(config-if)# ip address 10.1.1.1 255.255.255.252Device(config-if)# exitDevice(config)# interface VirtualPortGroup 1Device(config-if)# ip address 192.0.2.1 255.255.255.252Device(config-if)# exitDevice(config)# virtual-service UTDIPSDevice(config-virt-serv)# vnic gateway VirtualPortGroup 0Device(config-virt-serv-vnic)# exitDevice(config-virt-serv)# vnic gateway VirtualPortGroup 1Device(config-virt-serv-vnic)# guest ip address 192.0.2.2Device(config-virt-serv-vnic)# exitDevice(config-virt-serv)# vnic management GigabitEthernet0Device(config-virt-serv-vnic)# guest ip address 209.165.201.1Device(config-virt-serv-vnic)# exitDevice(config-virt-serv)# activateDevice(config-virt-serv-vnic)# end

Example: Configuring a Different Resource ProfileDevice# configure terminalDevice(config)# virtual-service UTDIPSDevice(config-virt-serv)# no activate*Sep 7 13:57:04.660 IST: %VIRT_SERVICE-5-ACTIVATION_STATE: Successfullydeactivated virtual service UTDIPSDevice(config-virt-serv)# profile mediumDevice(config-virt-serv)# activateDevice(config-virt-serv)# end

Example: Configuring UTD with Operation Mode IPS and Policy SecurityThe following example shows how to configure the UTD with operation mode IPS and policy security:Device# configure terminalDevice(config)# utd engine standardDevice(config-utd-eng-std)# threat-inspectionDevice(config-utd-eng-std-insp)# threat protectionDevice(config-utd-eng-std-insp)# policy securityDevice(config-utd-eng-std)# endDevice#

Example: Configuring Snort IPS GloballyThe following example shows how to configure Intrusion Prevention System (IPS) globally on a device:Device# configure terminalDevice(config)# utd engine standardDevice(config-utd-eng-std)# threat-inspectionDevice(config-utd-eng-std-insp)# threat protectionDevice(config-utd-eng-std-insp)# policy securityDevice(config-utd-eng-std)# exitDevice(config)# utdDevice(config-utd)# all-interfacesDevice(config-utd)# engine standardDevice(config-utd-whitelist)# endDevice#


Snort IPSExample: Configuring a Different Resource Profile

Example: Configuring Snort IPS Inspection per InterfaceThe following example shows how to configure Snort Intrusion Detection System (IDS) on a per-interfacebasis:Device# configure terminalDevice(config)# utd engine standardDevice(config-utd-eng-std)# threat-inspectionDevice(config-utd-eng-std-insp)# threat detectionDevice(config-utd-eng-std-insp)# policy securityDevice(config-utd-eng-std)# exitDevice(config)# utdDevice(config-utd)# engine standardDevice(config-eng-std)# exitDevice(config)# interface gigabitethernet 0/0/0Device(config-if)# utd enableDevice(config-if)# exit

Example: Configuring UTD with VRF on both Inbound and Outbound InterfaceDevice# configure terminalDevice(config)# vrf definition VRF1Device(config-vrf)# rd 100:1Device(config-vrf)# route-target export 100:1Device(config-vrf)# route-target import 100:1Device(config-vrf)# route-target import 100:2!Device(config-vrf)# address-family ipv4Device(config-vrf-af)# exit!Device(config-vrf)# address-family ipv6Device(config-vrf-af)# exit!Device(config-vrf-af)# vrf definition VRF2Device(config-vrf)# rd 100:2Device(config-vrf)# route-target export 100:2Device(config-vrf)# route-target import 100:2Device(config-vrf)# route-target import 100:1!Device(config-vrf)# address-family ipv4Device(config-vrf-af)# exit!Device(config-vrf)# address-family ipv6Device(config-vrf-af)# exit!Device(config-vrf)# interface VirtualPortGroup0Device(config-if)# ip address 192.0.0.1 255.255.255.0Device(config-if)# no mop enabledDevice(config-if)# no mop sysid!Device(config-if)# interface VirtualPortGroup1Device(config-if)# ip address 192.0.0.1 255.255.255.0Device(config-if)# no mop enabledDevice(config-if)# no mop sysid!Device(config-if)# interface GigabitEthernet0/0/2Device(config-if)# vrf forwarding VRF1Device(config-if-vrf)# ip address 192.1.1.5 255.255.255.0Device(config-if-vrf)# ipv6 address A000::1/64!Device(config-if)# interface GigabitEthernet0/0/3Device(config-if)# vrf forwarding VRF2Device(config-if-vrf)# ip address 192.1.1.5 255.255.255.0Device(config-if-vrf)# ipv6 address B000::1/64!Device(config-if-vrf)# router bgp 100


Snort IPSExample: Configuring Snort IPS Inspection per Interface

Device(config-if-vrf)# bgp log-neighbor-changes!Device(config-vrf)# address-family ipv4 vrf VRF1Device(config-vrf-af)# redistribute connectedDevice(config-vrf-af)# redistribute staticDevice(config-vrf-af)# exit!Device(config-vrf)# address-family ipv6 vrf VRF1Device(config-vrf-af)# redistribute connectedDevice(config-vrf-af)# redistribute staticDevice(config-vrf-af)# exit!Device(config-vrf)# address-family ipv4 vrf VRF2Device(config-vrf-af)# redistribute connectedDevice(config-vrf-af)# redistribute staticDevice(config-vrf-af)# exit!Device(config-vrf)# address-family ipv6 vrf VRF2Device(config-vrf-af)# redistribute connectedDevice(config-vrf-af)# redistribute staticDevice(config-vrf-af)# exit!Device(config)# utdDevice(config-utd)# all-interfacesDevice(config-utd)# engine standard!Device(config)# utd engine standardDevice(config-utd-eng-std)# logging syslogDevice(config-utd-eng-std)# threat-inspectionDevice(config-utd-engstd-insp)# threat protectionDevice(config-utd-engstd-insp)# policy security

!Device(config)# virtual-service utdDevice(config-virt-serv)# profile lowDevice(config-virt-serv)# vnic gateway VirtualPortGroup0Device(config-virt-serv-vnic)# guest ip address 47.0.0.2Device(config-virt-serv-vnic)# exitDevice(config-virt-serv)# vnic gateway VirtualPortGroup1Device(config-virt-serv-vnic)# guest ip address 48.0.0.2Device(config-virt-serv-vnic)# exitDevice(config-virt-serv)# activate

UTD Snort IPS Drop Log============================2016/06/13-14:32:09.524475 IST [**] [Instance_ID: 1] [**] Drop [**][1:30561:1] BLACKLIST DNS request for known malwaredomain domai.ddns2.biz - Win.Trojan.Beebone [**][Classification: A Network Trojan was Detected][Priority: 1] [VRF_ID: 2] {UDP} 11.1.1.10:58016 -> 21.1.1.10:53

Example: Configuring Logging IOS SyslogThe following example shows how to configure logging IOS syslog with the log levels on a device:Device# configure terminalDevice(config)# utd engine standardDevice(config-utd-eng-std)# logging syslogDevice(config-utd-eng-std)# threat-inspectionDevice(config-utd-engstd-insp)# logging level debugDevice(config-utd-eng-std-insp)# endDevice#


Snort IPSExample: Configuring Logging IOS Syslog

Example: Configuring Logging to Centralized Log ServerThe following example shows how to configure logging to a centralized log server:Device# configure terminalDevice(config)# utd engine standardDevice(config-utd-eng-std-insp)# logging server syslog.yourcompany.comDevice(config-utd-eng-std)# threat-inspectionDevice(config-utd-eng-std-insp)# logging level infoDevice(config-utd-eng-std-insp)# endDevice#

Example: Configuring Signature Update from a Cisco ServerThe following example shows how to configure the signature update from a Cisco server :Device# configure terminalDevice(config)# utd engine standardDevice(config-utd-eng-std)# threat-inspectionDevice(config-utd-eng-std-insp)# signature update server cisco username CCOuser passwordpasswd123Device(config-utd-eng-std-insp)# endDevice#

Ensure that the DNS is configured to download signatures from the Cisco server.Note

Example: Configuring Signature Update from a Local ServerThe following example shows how to configure the signature update from a local server:Device# configure terminalDevice(config)# utd engine standardDevice(config-utd-eng-std)# threat-inspectionDevice(config-utd-eng-std-insp)# signature update server url http://192.168.1.2/sig-1.pkgDevice(config-utd-eng-std-insp)# endDevice#

Example: Configuring Automatic Signature UpdateThe following example shows how to configure the automatic signature update on a server:Device# configure terminalDevice(config)# utd engine standardDevice(config-utd-eng-std)# threat-inspectionDevice(config-utd-eng-std-insp)# signature update occur-at daily 0 0Device(config-utd-eng-std-insp)# signature update server cisco username abcd passwordcisco123Device(config-utd-eng-std-insp)# endDevice#

When the signature update is not in detail, you can get the signature update from the server.Note


Snort IPSExample: Configuring Logging to Centralized Log Server

Example: Performing Manual Signature UpdateThe following example shows how to perform a manual signature update:Device# utd threat-inspection signature update

It takes the existing server configuration to download fromor the explicit server information configured with it.

These commands perform a manual signature update with the below settings:

Device#show utd engine standard threat-inspection signature update statusCurrent Signature package version: 2982.2.sCurrent Signature package name: UTD-STD-SIGNATURE-2982-2-S.pkgPrevious Signature package version: 29.0.cLast update status: SuccessfulLast failure Reason: NoneLast successful update method: AutoLast successful update server: ciscoLast successful update time: Fri Jul 1 05:15:43 2016 PDTLast successful update speed: 2656201 bytes in 42 secsLast failed update method: ManualLast failed update server: ciscoLast failed update time: Fri Jul 1 16:51:23 2016 ISTLast attempted update method: AutoLast attempted update server: ciscoLast attempted update time: Fri Jul 1 05:15:43 2016 PDTTotal num of updates successful: 1Num of attempts successful: 1Num of attempts failed: 5Total num of attempts: 6Next update scheduled at: NoneCurrent Status: Idle

Device# utd threat-inspection signature update server cisco username ccouser passwordpasswd123Device# utd threat-inspection signature update server url http://192.168.1.2/sig-1.pkg

Example: Configuring Signature WhitelistThe following example shows how to configure signature whitelist:Device# configure terminalDevice(config)# utd threat-inspection whitelistDevice(config-utd-whitelist)# signature id 23456 comment "traffic from client x"Device(config-utd-whitelist)# exitDevice(config)# utd engine standardDevice(config-utd-eng-std)# whitelistDevice(config-utd-eng-std)# endDevice#

After the whitelist signature ID is configured, Snort will allow the flow to pass through the device withoutany alerts and drops.

Note


Snort IPSExample: Performing Manual Signature Update

Examples for Displaying Active Signatures

Example: Displaying Active Signatures List With Balanced PolicyDevice# utd threat-inspection signature active-list write-to bootflash:siglist_balancedDevice# more bootflash:siglist_balanced=================================================================================Signature Package Version: 2982.1.sSignature Ruleset: BalancedTotal no. of active signatures: 7884Total no. of drop signatures: 7389Total no. of alert signatures: 495

For more details of each signature please go to www.snort.org/rule_docs to lookup=================================================================================

List of Active Signatures:--------------------------<snipped>

Example: Displaying Active Signatures List With Security PolicyDevice# utd threat-inspection signature active-list write-to bootflash:siglist_securityDevice# more bootflash:siglist_security=================================================================================Signature Package Version: 2982.1.sSignature Ruleset: SecurityTotal no. of active signatures: 11224Total no. of drop signatures: 10220Total no. of alert signatures: 1004

For more details of each signature please go to www.snort.org/rule_docs to lookup=================================================================================

List of Active Signatures:--------------------------<snipped>

Example: Displaying Active Signatures List With Connectivity PolicyDevice# utd threat-inspection signature active-list write-to bootflash:siglist_connectivityDevice# more bootflash:siglist_connectivity=================================================================================Signature Package Version: 2982.1.sSignature Ruleset: ConnectivityTotal no. of active signatures: 581Total no. of drop signatures: 452Total no. of alert signatures: 129

For more details of each signature please go to www.snort.org/rule_docs to lookup=================================================================================List of Active Signatures:--------------------------<snipped>


Snort IPSExamples for Displaying Active Signatures

Verifying the Integrated Snort IPS ConfigurationUse the following commands to troubleshoot your configuration.

SUMMARY STEPS

1. enable2. show virtual-service list3. show virtual-service detail4. show service-insertion type utd service-node-group5. show service-insertion type utd service-context6. show utd engine standard config7. show utd engine standard status8. show utd engine standard threat-inspection signature update status9. show utd engine standard logging events10. clear utd engine standard logging events11. show platform hardware qfp active feature utd config12. show platform software utd global13. show platform software utd interfaces14. show platform hardware qfp active feature utd stats15. show utd engine standard statistics daq all

DETAILED STEPS

Step 1 enable

Example:Device> enableEnables privileged EXEC mode.


Step 2 show virtual-service listDisplays the status of the installation of all applications on the virtual service container.

Example:Device# show virtual-service list

Virtual Service List:

Name Status Package Name------------------------------------------------------------------------------UTDIPS Activated utdsnort.1_0_1_SV2982_XE_16_3.20160701_131509.ova

Step 3 show virtual-service detail


Snort IPSVerifying the Integrated Snort IPS Configuration

Displays the resources used by applications installed in the virtual services container of a device.

Example:Device# show virtual-service detail

Device#show virtual-service detailVirtual service UTDIPS detailState : ActivatedOwner : IOSdPackage informationName : utdsnort.1_0_1_SV2982_XE_16_3.20160701_131509.ovaPath : bootflash:/utdsnort.1_0_1_SV2982_XE_16_3.20160701_131509.ovaApplicationName : UTD-Snort-FeatureInstalled version : 1.0.1_SV2982_XE_16_3Description : Unified Threat Defense

SigningKey type : Cisco development keyMethod : SHA-1

LicensingName : Not AvailableVersion : Not Available

Detailed guest status

----------------------------------------------------------------------Process Status Uptime # of restarts----------------------------------------------------------------------climgr UP 0Y 0W 0D 0: 0:35 1logger UP 0Y 0W 0D 0: 0: 4 0snort_1 UP 0Y 0W 0D 0: 0: 4 0Network stats:eth0: RX packets:43, TX packets:6eth1: RX packets:8, TX packets:6

Coredump file(s): lost+found

Activated profile name: NoneResource reservationDisk : 736 MBMemory : 1024 MBCPU : 25% system CPU

Attached devicesType Name Alias---------------------------------------------NIC ieobc_1 ieobcNIC dp_1_0 net2NIC dp_1_1 net3NIC mgmt_1 mgmtDisk _rootfsDisk /opt/varDisk /opt/var/cSerial/shell serial0Serial/aux serial1Serial/Syslog serial2Serial/Trace serial3Watchdog watchdog-2

Network interfacesMAC address Attached to interface------------------------------------------------------54:0E:00:0B:0C:02 ieobc_1A4:4C:11:9E:13:8D VirtualPortGroup0A4:4C:11:9E:13:8C VirtualPortGroup1A4:4C:11:9E:13:8B mgmt_1

Guest interface



---Interface: eth2ip address: 48.0.0.2/24

Interface: eth1ip address: 47.0.0.2/24

---

Guest routes---Address/Mask Next Hop Intf.

-------------------------------------------------------------------------------0.0.0.0/0 48.0.0.1 eth20.0.0.0/0 47.0.0.1 eth1

---

Resource admission (without profile) : passedDisk space : 710MBMemory : 1024MBCPU : 25% system CPUVCPUs : Not specified

Step 4 show service-insertion type utd service-node-groupDisplays the status of service node groups.

Example:Device# show service-insertion type utd service-node-group

Service Node Group name : utd_sng_1Service Context : utd/1Member Service Node count : 1

Service Node (SN) : 30.30.30.2Auto discovered : NoSN belongs to SNG : utd_sng_1Current status of SN : AliveTime current status was reached : Tue Jul 26 11:57:48 2016

Cluster protocol VPATH version : 1Cluster protocol incarnation number : 1Cluster protocol last sent sequence number : 1469514497Cluster protocol last received sequence number: 1464Cluster protocol last received ack number : 1469514496

Step 5 show service-insertion type utd service-contextDisplays the AppNav and service node views.

Example:Device# show service-insertion type utd service-context

Service Context : utd/1Cluster protocol VPATH version : 1Time service context was enabled : Tue Jul 26 11:57:47 2016Current FSM state : OperationalTime FSM entered current state : Tue Jul 26 11:57:58 2016Last FSM state : ConvergingTime FSM entered last state : Tue Jul 26 11:57:47 2016Cluster operational state : Operational

Stable AppNav controller View:30.30.30.1

Stable SN View:



30.30.30.2

Current AppNav Controller View:30.30.30.1

Current SN View:30.30.30.2

Step 6 show utd engine standard configDisplays the unified threat defense (UTD) configuration.

Example:Device# show utd engine standard config

UTD Engine Standard Configuration:Operation Mode : Intrusion PreventionPolicy : Security

Signature Update:Server : ciscoUser Name : ccouserPassword : YEX^SH\fhdOeEGaOBIQAIcOVLgaVGfOccurs-at : weekly ; Days:0 ; Hour: 23; Minute: 50

Logging:Server : IOS Syslog; 10.104.49.223Level : debug

Whitelist Signature IDs:28878

Step 7 show utd engine standard statusDisplays the status of the utd engine.

Example:Device# show utd engine standard statusEngine version : 1.0.1_SV2982_XE_16_3

Profile : HighSystem memory :Usage : 8.00 %Status : GreenNumber of engines : 4

Engine Running CFT flows Health Reason=======================================================Engine(#1): Yes 0 Green NoneEngine(#2): Yes 0 Green NoneEngine(#3): Yes 0 Green NoneEngine(#4): Yes 0 Green None=======================================================

Overall system status: Green

Signature update status:=========================Current Signature package version: 29.0.cCurrent Signature package name: defaultPrevious Signature package version: NoneLast update status: NoneLast failure Reason: None

Step 8 show utd engine standard threat-inspection signature update status



Displays the status of the signature update process.

Example:Device# show utd engine standard threat-inspection signature update status

Current Signature package version: 2982.2.sCurrent Signature package name: UTD-STD-SIGNATURE-2982-2-S.pkgPrevious Signature package version: 29.0.cLast update status: SuccessfulLast failure Reason: NoneLast successful update method: AutoLast successful update server: ciscoLast successful update time: Fri Jul 1 05:15:43 2016 PDTLast successful update speed: 2656201 bytes in 42 secsLast failed update method: ManualLast failed update server: ciscoLast failed update time: Fri Jul 1 16:51:23 2016 ISTLast attempted update method: AutoLast attempted update server: ciscoLast attempted update time: Fri Jul 1 05:15:43 2016 PDTTotal num of updates successful: 1Num of attempts successful: 1Num of attempts failed: 5Total num of attempts: 6Next update scheduled at: NoneCurrent Status: Idle

Step 9 show utd engine standard logging eventsDisplays log events from the Snort sensor.

Example:Device# show utd engine standard logging events

2016/06/13-14:32:09.524475 IST [**] [Instance_ID: 1] [**] Drop [**] [1:30561:1]BLACKLIST DNS request for known malware domain domai.ddns2.biz -Win.Trojan.Beebone [**] [Classification: A Network Trojan was Detected] [Priority: 1][VRF_ID: 2] {UDP} 11.1.1.10:58016 -> 21.1.1.10:532016/06/13-14:32:21.524988 IST [**] [Instance_ID: 1] [**] Drop [**] [1:30561:1]BLACKLIST DNS request for known malware domain domai.ddns2.biz -Win.Trojan.Beebone [**] [Classification: A Network Trojan was Detected] [Priority: 1][VRF_ID: 2] {UDP} a000:0:0:0:0:0:0:10:59964 -> b000:0:0:0:0:0:0:10:53

Step 10 clear utd engine standard logging events

Example:Device# clear utd engine standard logging events

Clears logged events from the Snort sensor.

Step 11 show platform hardware qfp active feature utd configDisplays information about the health of the service node.

Example:Device# show platform hardware qfp active feature utd config

Global configurationNAT64: disabledSN threads: 12CFT inst_id 0 feat id 1 fo id 1 chunk id 8Context Id: 0, Name: Base Security CtxCtx Flags: (0x60000)Engine: Standard



SN Redirect Mode : Fail-open, DivertThreat-inspection: Enabled, Mode: IDSDomain Filtering : Not EnabledURL Filtering : Not EnabledSN Health: Green

Step 12 show platform software utd globalDisplays the interfaces on which UTD is enabled.

Example:Device# show platform software utd global

UTD Global stateEngine : StandardGlobal Inspection : EnabledOperational Mode : Intrusion PreventionFail Policy : Fail-openContainer techonlogy : LXCRedirect interface : VirtualPortGroup1UTD interfacesAll dataplane interfaces

Step 13 show platform software utd interfacesDisplays the information about all interfaces.

Example:Device# show platform software utd interfaces

UTD interfacesAll dataplane interfaces

Step 14 show platform hardware qfp active feature utd statsDisplays dataplane UTD statistics.

Example:Device# show platform hardware qfp active feature utd stats

Security Context: Id:0 Name: Base Security Ctx

Summary Statistics:Pkts entered policy feature pkt 228

byt 31083

Drop Statistics:

Service Node flagged flow for dropping 48Service Node not healthy 62

General Statistics:

Non Diverted Pkts to/from divert interface 32913Inspection skipped - UTD policy not applicable 48892Policy already inspected 2226Pkts Skipped - L2 adjacency glean 1Pkts Skipped - For Us 67Pkts Skipped - New pkt from RP 102Response Packet Seen 891Feature memory allocations 891Feature memory free 891Feature Object Delete 863



Service Node Statistics:SN Health: GreenSN down 85SN health green 47SN health red 13

Diversion Statisticsredirect 2226encaps 2226decaps 2298reinject 2250decaps: Could not locate flow 72Redirect failed, SN unhealthy 62Service Node requested flow bypass drop 48

Step 15 show utd engine standard statistics daq allDisplays serviceplane data acquistion (DAQ) statistics.

Example:Device# show utd engine standard statistics daq all

IOS-XE DAQ Counters(Engine #1):---------------------------------Frames received :0Bytes received :0RX frames released :0Packets after vPath decap :0Bytes after vPath decap :0Packets before vPath decap :0Bytes before vPath decap :0Frames transmitted :0Bytes transmitted :0

Memory allocation :2Memory free :0Merged packet buffer allocation :0Merged packet buffer free :0

VPL buffer allocation :0VPL buffer free :0VPL buffer expand :0VPL buffer merge :0VPL buffer split :0VPL packet incomplete :0

VPL API error :0CFT API error :0Internal error :0External error :0Memory error :0Timer error :0

Kernel frames received :0Kernel frames dropped :0

FO cached via timer :0Cached fo used :0Cached fo freed :0FO not found :0CFT full packets :0

VPL Stats(Engine #1):------------------------



Deploying Snort IPS Using Cisco Prime CLI TemplatesYou can use the Cisco Prime CLI templates to provision the Snort IPS deployment. The Cisco Prime CLItemplates make provisioning Snort IPS deployment simple. To use the Cisco Prime CLI templates to provisionthe Snort IPS deployment, perform these steps:

Step 1 Download the Prime templates from the Software Download page, corresponding to the IOS XE version running onyour system.

Step 2 Unzip the file, if it is a zipped version.

Step 3 From Prime, choose Configuration > Templates > Features and Technologies, select CLI Templates.Step 4 Click Import.Step 5 Select the folder where you want to import the templates to and click Select Templates and choose the templates that

you just downloaded to import.The following Snort IPS CLI templates are available:

• Copy OVA to Device—Use this template to copy the Snort IPS OVA file to the router file system.

• Delete OVA—Use this template to delete the copied Snort IPS OVA file from the router file system.

• Dynamic NAT—Use this template if Dynamic NAT (Network Address Translation) is configured in yourenvironment and an Access List is used to select the NAT translation that needs to be modified for Snort IPSManagement Interface IP.

• Dynamic NAT Cleanup—Use this template to delete the NAT configuration for Snort IPS.

• Dynamic PAT—Use this template if Dynamic PAT (Port Address Translation) is configured in your environmentand an Access List is used to select the PAT translation that needs to be modified for Snort IPS ManagementInterface IP.

• Dynamic PAT Cleanup—Use this template to delete the PAT configuration for Snort IPS.

• IP Unnumbered—Use this template to configure Snort IPS and required Virtual-Service for IP Unnumbereddeployment.

• IP Unnumbered Cleanup—Use this template to delete the configured Snort IPS Management interface with IPUnnumbered.

• Management Interface—Use this template if you would like to use System Management interface (e.g.GigabitEthernet0) to route Snort IPS Management traffic.

• Management Interface Cleanup—Use this template to delete the configured System Management interface (e.g.GigabitEthernet0) to route the Snort IPS Management traffic.

• Static NAT—Use this template to configure Snort IPS and required Virtual-Service for existing Static NATdeployment.

• Static NAT Cleanup—Use this template to delete the configured Snort IPS in a Static NAT deployment.

• Upgrade OVA—Use this template to upgrade Snort IPS OVA file.


Snort IPSDeploying Snort IPS Using Cisco Prime CLI Templates

https://software.cisco.com/download/release.html?mdfid=286006221&softwareid=286285284&release=3.16.1aS&relind=AVAILABLE&rellifecycle=&reltype=latest

Troubleshooting Snort IPS

Traffic is not DivertedProblem Traffic is not diverted.

Possible Cause Vitual-service may not be activated.

Solution Check whether the virtual-service is activated by using the show virtual-service list command. Thefollowing is sample output from the command:Device# show virtual-service list

Virtual Service List:

Name Status Package Name------------------------------------------------------------------------------snort Activated utdsnort.1_0_1_SV2982_XE_16_3.20160701_131509.ova

Possible Cause Unified threat defense (UTD) may not be enabled for specified interface or interfaces.

Solution Use the show platform software utd global command to verify if UTD is enabled for the interface:Device# show platform software utd global

UTD Global stateEngine : StandardGlobal Inspection : DisabledOperational Mode : Intrusion PreventionFail Policy : Fail-openContainer techonlogy : LXCRedirect interface : VirtualPortGroup1UTD interfacesGigabitEthernet0/0/0

Possible Cause The service node may not be working properly.

Solution Use the show platform hardware qfp active feature utd config command to verify if the health ofthe service node is green:Device# show platform hardware qfp active feature utd config

Global configurationNAT64: disabledSN threads: 12CFT inst_id 0 feat id 0 fo id 0 chunk id 4Context Id: 0, Name: Base Security CtxCtx Flags: (0x60000)Engine: StandardSN Redirect Mode : Fail-open, DivertThreat-inspection: Enabled, Mode: IDSDomain Filtering : Not EnabledURL Filtering : Not EnabledSN Health: Green


Snort IPSTroubleshooting Snort IPS

Possible Cause The Snort process may not be activated.

Solution Use the show virtual-service detail command to verify if the Snort process is up and running:Device# show virtual-service detail

Virtual service UTDIPS detailState : ActivatedOwner : IOSdPackage informationName : utdsnort.1_0_1_SV2982_XE_16_3.20160701_131509.ovaPath : bootflash:/utdsnort.1_0_1_SV2982_XE_16_3.20160701_131509.ovaApplicationName : UTD-Snort-FeatureInstalled version : 1.0.1_SV2982_XE_16_3Description : Unified Threat Defense

SigningKey type : Cisco development keyMethod : SHA-1

LicensingName : Not AvailableVersion : Not Available

Detailed guest status

----------------------------------------------------------------------Process Status Uptime # of restarts----------------------------------------------------------------------climgr UP 0Y 0W 0D 0: 0:35 1logger UP 0Y 0W 0D 0: 0: 4 0snort_1 UP 0Y 0W 0D 0: 0: 4 0Network stats:eth0: RX packets:43, TX packets:6eth1: RX packets:8, TX packets:6

Coredump file(s): lost+found

Activated profile name: NoneResource reservationDisk : 736 MBMemory : 1024 MBCPU : 25% system CPU

Attached devicesType Name Alias---------------------------------------------NIC ieobc_1 ieobcNIC dp_1_0 net2NIC dp_1_1 net3NIC mgmt_1 mgmtDisk _rootfsDisk /opt/varDisk /opt/var/cSerial/shell serial0Serial/aux serial1Serial/Syslog serial2Serial/Trace serial3Watchdog watchdog-2

Network interfacesMAC address Attached to interface------------------------------------------------------54:0E:00:0B:0C:02 ieobc_1A4:4C:11:9E:13:8D VirtualPortGroup0A4:4C:11:9E:13:8C VirtualPortGroup1A4:4C:11:9E:13:8B mgmt_1

Guest interface---Interface: eth2ip address: 48.0.0.2/24

Interface: eth1ip address: 47.0.0.2/24


Snort IPSTraffic is not Diverted

---

Guest routes---Address/Mask Next Hop Intf.

-------------------------------------------------------------------------------0.0.0.0/0 48.0.0.1 eth20.0.0.0/0 47.0.0.1 eth1

---

Resource admission (without profile) : passedDisk space : 710MBMemory : 1024MBCPU : 25% system CPUVCPUs : Not specified

Possible Cause The AppNav tunnel may not be activated.

Solution Use the show service-insertion type utd service-node-group and show service-insertion type utdservice-context commands to verify if the AppNav tunnel is activated.

Solution The following is sample output from the show service-insertion type utd service-node-groupcommand:Device# show service-insertion type utd service-node-group

Service Node Group name : utd_sng_1Service Context : utd/1Member Service Node count : 1

Service Node (SN) : 30.30.30.2Auto discovered : NoSN belongs to SNG : utd_sng_1Current status of SN : AliveTime current status was reached : Tue Jul 26 11:57:48 2016

Cluster protocol VPATH version : 1Cluster protocol incarnation number : 1Cluster protocol last sent sequence number : 1469514497Cluster protocol last received sequence number: 1464Cluster protocol last received ack number : 1469514496

Solution The following is sample output from the show service-insertion type utd service-context command:Device# show service-insertion type utd service-context

Service Context : utd/1Cluster protocol VPATH version : 1Time service context was enabled : Tue Jul 26 11:57:47 2016Current FSM state : OperationalTime FSM entered current state : Tue Jul 26 11:57:58 2016Last FSM state : ConvergingTime FSM entered last state : Tue Jul 26 11:57:47 2016Cluster operational state : Operational

Stable AppNav controller View:30.30.30.1

Stable SN View:30.30.30.2

Current AppNav Controller View:


Snort IPSTraffic is not Diverted

30.30.30.1

Current SN View:30.30.30.2

Possible Cause Check data plane UTD statistics for the status of the traffic. If the traffic is not diverted,the number of packets diverted and rejected will be zero. If the numbers are nonzero, then traffic diversionis happening, and the Snort sensor is resending packets back to the dataplane.

Solution Use the show platform hardware qfp active feature utd stats commands to verify the status of thetraffic.Device# show platform hardware qfp active feature utd stats

Security Context: Id:0 Name: Base Security Ctx

Summary Statistics:Active Connections 29TCP Connections Created 712910UDP Connections Created 80Pkts entered policy feature pkt 3537977

byt 273232057Pkts entered divert feature pkt 3229148

byt 249344841Pkts slow path pkt 712990

byt 45391747Pkts Diverted pkt 3224752

byt 249103697Pkts Re-injected pkt 3224746

byt 249103373….

Signature Update is not WorkingProblem Signature update from Cisco Borderless Software Distribution (BSD) server is not working.

Possible Cause Signature update may have failed due to various reasons. Check for the reason for the lastfailure to update the signatures.

Solution Use the show utd engine standard threat-inspection signature update status command to displaythe reason for the last failure to update the signatures:Device# show utd engine standard threat-inspection signature update status

Current Signature package version: 2982.1.sCurrent Signature package name: UTD-STD-SIGNATURE-2982-1-S.pkgPrevious Signature package version: 2982.2.sLast update status: SuccessfulLast failure Reason: System error-fail to process username & password combination.Last successful update method: ManualLast successful update server: http://10.104.52.159/protected/UTD-STD-SIGNATURE-2982-1-S.pkgLast successful update time: Fri Jul 8 14:21:49 2016 ISTLast successful update speed: 2631532 bytes in 6 secsLast failed update method: AutoLast failed update server: ciscoLast failed update time: Fri Jul 8 14:13:02 2016 ISTLast attempted update method: ManualLast attempted update server: http://10.104.52.159/protected/UTD-STD-SIGNATURE-2982-1-S.pkgLast attempted update time: Fri Jul 8 14:21:49 2016 ISTTotal num of updates successful: 17


Snort IPSSignature Update is not Working

Num of attempts successful: 22Num of attempts failed: 12Total num of attempts: 34Next update scheduled at: NoneCurrent Status: Idle

Possible Cause Domain Name System (DNS) is not configured correctly.

Solution Use the show running-config | i name-server command to display the name server details:Device# show run | i name-server

ip name-server 10.104.49.223

Possible Cause System error—Failed to process the username and password combination.

Solution Ensure that you have provided the correct credentials for signature package download.

Signature Update from the Local Server is not WorkingProblem Signature update from the local server not working.

Possible Cause Last failure Reason: Invalid scheme—only HTTP/HTTPS supported.

Solution Ensure that you have provided the HTTP or secure HTTP (HTTPS) as the local download method.

Possible Cause Last failure Reason: Name or service not known.

Solution Ensure that the hostname or IP address provided for the local server is correct.

Possible Cause Last failure Reason: Credentials not supplied.

Solution Ensure that you have provided the credentials for local HTTP/HTTPS server.

Possible Cause Last failure Reason: File not found.

Solution Ensure that the signature file name or URL that you have provided is correct.

Possible Cause Last failure Reason: Download corrupted.

Solution

• Verify whether the retry signature update is corrupted as the previous signature download.

• Ensure that the correct signature package is available.


Snort IPSSignature Update from the Local Server is not Working

Logging to IOSd Syslog is not WorkingProblem Logging to IOSd syslog is not working.

Possible Cause Logging to syslogmay not be configured in the unified threat defense (UTD) configuration.

Solution Use the show utd engine standard config command to display the UTD configuration and to ensurethat logging to syslog is configured.Device# show utd engine standard config

UTD Engine Standard Configutation:Operation Mode : Intrusion PreventionPolicy : Security

Signature Update:Server : ciscoUser Name : ccouserPassword : YEX^SH\fhdOeEGaOBIQAIcOVLgaVGfOccurs-at : weekly ; Days:0 ; Hour: 23; Minute: 50

Logging:Server : IOS Syslog; 10.104.49.223Level : debug

Whitelist Signature IDs:28878

Solution Use the following show utd engine standard logging events command to display the event logs forthe UTD engine.Device# show utd engine standard logging events

2016/06/13-14:32:09.524475 IST [**] [Instance_ID: 1] [**] Drop [**] [1:30561:1]BLACKLIST DNS request for known malware domain domai.ddns2.biz -Win.Trojan.Beebone [**] [Classification: A Network Trojan was Detected][Priority: 1] [VRF_ID: 2] {UDP} 11.1.1.10:58016 -> 21.1.1.10:532016/06/13-14:32:21.524988 IST [**] [Instance_ID: 1] [**] Drop [**] [1:30561:1]BLACKLIST DNS request for known malware domain domai.ddns2.biz -Win.Trojan.Beebone [**] [Classification: A Network Trojan was Detected] [Priority: 1][VRF_ID: 2] {UDP} a000:0:0:0:0:0:0:10:59964 -> b000:0:0:0:0:0:0:10:53

Logging to an External Server is not WorkingProblem Logging to an external server is not working.

Possible Cause Syslog may not be running on the external server.

Solution Verify whether syslog server is running on the external server. Configure the following commandon the external server to view its status:ps -eaf | grep syslog

root 2073 1 0 Apr12 ? 00:00:02 syslogd -r -m


Snort IPSLogging to IOSd Syslog is not Working

Possible Cause Connectivity between unified threat defense (UTD) Linux Container (LXC) and externalserver may be lost.

Solution Verify the connectivity from the management interface to the external syslog server.

UTD Conditional DebuggingThe Snort IPS feature supports UTD conditional debugging. For details on how to configure conditionaldebugging, see the following URL:

http://www.cisco.com/c/en/us/td/docs/routers/asr1000/troubleshooting/guide/Tblshooting-xe-3s-asr-1000-book.html#task_AC969BB06B414DCBBDEF7ADD29EF8131

Additional References for Snort IPSRelated Documents

Document TitleRelated Topic

Cisco IOS Master Command List, All ReleasesIOS commands

• Cisco IOS Security Command Reference:Commands A to C

• Cisco IOS Security Command Reference:Commands D to L

• Cisco IOS Security Command Reference:Commands M to R

• Cisco IOS Security Command Reference:Commands S to Z

Security commands


Snort IPSUTD Conditional Debugging



http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mcl/allreleasemcl/all-book.html

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-a1-cr-book.html

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-a1-cr-book.html

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-d1-cr-book.html

http://www.cisco.com/en/US/docs/ios-xml/ios/security/d1/sec-d1-cr-book.html

http://www.cisco.com/en/US/docs/ios-xml/ios/security/m1/sec-m1-cr-book.html

http://www.cisco.com/en/US/docs/ios-xml/ios/security/m1/sec-m1-cr-book.html

http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-s1-cr-book.html

http://www.cisco.com/en/US/docs/ios-xml/ios/security/s1/sec-s1-cr-book.html

Technical Assistance

LinkDescription

http://www.cisco.com/supportThe Cisco Support website provides extensive onlineresources, including documentation and tools fortroubleshooting and resolving technical issues withCisco products and technologies.

To receive security and technical information aboutyour products, you can subscribe to various services,such as the Product Alert Tool (accessed from FieldNotices), the Cisco Technical Services Newsletter,and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support websiterequires a Cisco.com user ID and password.

Feature Information for Snort IPSThe following table provides release information about the feature or features described in this module. Thistable lists only the software release that introduced support for a given feature in a given software releasetrain. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support.To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1: Feature Information for Snort IPS

Feature InformationReleasesFeature Name

The Snort IPS feature, enables Intrusion Prevention System(IPS) and Intrusion Detection System (IDS) for branchoffices on Cisco IOSXE-based platforms. This feature usesthe open source Snort solution to enable IPS and IDS.

Cisco IOS XE 3.16.1S,3.17S and later releases

Snort IPS

Supports Virtual Fragmentation Reassembly (VFR) on SnortIPS configuration.

Cisco IOS XE Denali16.3.1

VRF support onSnort IPS

Cisco Cloud Services Router 1000v Series supports SnotIPS.

Cisco IOS XE Denali16.3.1

Snort IPS support onCisco CloudServices Router1000v Series

The UTD Snort IPS enhancements for 16.4 release adds afeature for displaying the list of active signatures.

Cisco IOS XE Everest16.4.1

UTD Snort IPSEnhancements for16.4 Release


Snort IPSFeature Information for Snort IPS

http://www.cisco.com/support

http://www.cisco.com/go/cfn

Snort IPS - cisco.com · Snort IPS...

Documents

Transcript of Snort IPS - cisco.com · Snort IPS...